
Commit 1aec742

douglasbagnall authored and abartlet committed
pidl: check the size of pulled arrays of arrays
We were accidentally checking the memory just past the array instead of checking each member. This could have led to the size of some arrays not being checked.

Found by Michael Hanselmann using Honggfuzz and a fuzzer for Samba's NDR layer.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13877

Signed-off-by: Douglas Bagnall <[email protected]>
Pair-programmed-with: Andrew Bartlett <[email protected]>
Signed-off-by: Andrew Bartlett <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
1 parent 536a849 commit 1aec742

2 files changed: +4 -1 lines changed

pidl/lib/Parse/Pidl/Samba4/NDR/Parser.pm

Lines changed: 4 additions & 0 deletions
@@ -1247,10 +1247,14 @@ sub ParseElementPullLevel
12471247

12481248
if ($deferred and ContainsDeferred($e, $l)) {
12491249
$self->pidl("for ($counter = 0; $counter < ($length); $counter++) {");
1250+
$self->defer("for ($counter = 0; $counter < ($length); $counter++) {");
1251+
$self->defer_indent;
12501252
$self->indent;
12511253
$self->ParseElementPullLevel($e,GetNextLevel($e,$l), $ndr, $var_name, $env, 0, 1);
12521254
$self->deindent;
1255+
$self->defer_deindent;
12531256
$self->pidl("}");
1257+
$self->defer("}");
12541258
}
12551259

12561260
$self->ParseMemCtxPullEnd($e, $l, $ndr);
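Review bot: the loop header string is now written out twice in this hunk, once in the existing $self->pidl("for ($counter = 0; $counter < ($length); $counter++) {") call and once in the added $self->defer(...) call, so a later edit to one can leave the other behind and reintroduce a mismatch between the pull loop and the code queued with defer. Build the string once into a local variable and pass it to both calls. The four added defer lines also have no comment; a short one above them saying that the deferred code needs its own copy of the loop so that each member is checked, rather than the memory just past the array, would record why the mirroring must be kept.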

selftest/knownfail.d/ndrdump

Lines changed: 0 additions & 1 deletion
This file was deleted.
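Review bot: the commit message does not mention the removal of selftest/knownfail.d/ndrdump, so the record does not say which test its single line listed or that the test is now expected to pass. Name that test in the commit message so the link between the Parser.pm fix and its regression test is kept.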
